TODAY'S TOURBUS STOPS: URL Spoofing Patch / Spyware-free RealPlayer

Howdy, y'all, and greetings once again from deep behind the orange
curtain in beautiful Irvine, California, where, at the tone, it will
be exactly five o'clock. DING! :P

TOURBUS is made possible by the kind support of our sponsors. Please
take a moment to visit today's sponsors and thank them for keeping our
little bus of Internet happiness on the road week after week.

On with the show...

Microsoft URL Spoofing Patch
Audience: All PC users

Microsoft released a patch (actually, a critical update) for the URL
spoofing vulnerability in Internet Explorer we first discussed back in
December. [YAY!] To get the patch, just run Windows Update by either
choosing Tools > Windows Update in Internet Explorer or pointing your
web browser to

The patch was issued on Monday, which is kind of odd because Microsoft
usually releases critical updates on the second Tuesday of each month.

Now for the bad news. And, if truth be told, this is bad news only if
you know what RFC 1738 is.

According to the security bulletin accompanying Microsoft's patch,
while the patch fixes Internet Explorer's URL spoofing vulnerability
it also "removes support for handling user names and passwords in HTTP
and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft
Internet Explorer." What does that mean in English? Well, pretend
you want to view a web page at example.com but the page requires you
to type in a username and password. You have two options:

1. Go to http://www.example.com/ and then manually type in your
username and password in the little "enter password" dialog
box that pops up; or

Notice how, in that second example, the username and password are
embedded into example.com's URL? Technically, you shouldn't be
able to do that. [RFC 1738 specifically states that usernames and
passwords are not allowed in the HTTP URL scheme.] That you *ARE*
able to put usernames and passwords in your URLs is actually a bug.

The bad news, if you can call it that, is that Microsoft's patch fixes
this bug.

What does this mean to you and me? Absolutely nothing. We can still
access every password protected site we have accessed in the past.
And if you have Internet Explorer set up so that it remembers
passwords for you, Internet Explorer will still remember passwords for
you. NOTHING CHANGES... except for our ability to manually embed
usernames and passwords into URLs (like
http://username:password@example.com/). We can't do that anymore.
And that's fine with me. :)
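
Here is an added example (not from Microsoft's bulletin or the original
newsletter) of checking a link for an embedded username or password and
reporting the host the browser would really connect to. The helper name
inspectUrl and all sample URLs are made up for illustration.

```javascript
// Added example; inspectUrl is a hypothetical helper, all URLs are constructed.
function inspectUrl(raw) {
  let u;
  try {
    u = new URL(raw); // WHATWG URL parser, built into Node.js and browsers
  } catch (err) {
    return { valid: false, flagged: false, host: null, userLooksLikeHost: false };
  }
  const isHttp = u.protocol === "http:" || u.protocol === "https:";
  const hasUserinfo = u.username !== "" || u.password !== "";

  // The text before "@" is only a username, but a reader may take it for
  // the site name when it is shaped like one (for example "www.example.com").
  let user = u.username;
  try {
    user = decodeURIComponent(u.username);
  } catch (err) {
    // keep the raw value if the percent-encoding is malformed
  }
  const userLooksLikeHost = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(user);

  return {
    valid: true,
    // RFC 1738 permits user:password in ftp URLs, so only http(s) is flagged.
    flagged: isHttp && hasUserinfo,
    host: u.hostname, // where the browser actually connects
    userLooksLikeHost: hasUserinfo && userLooksLikeHost,
  };
}

// Constructed sample links (documentation domains and addresses only).
const samples = [
  "http://www.example.com/",
  "http://username:password@example.com/",
  "http://www.example.com@198.51.100.7/login",
  "ftp://user:pw@ftp.example.com/",
];
for (const s of samples) {
  console.log(s, JSON.stringify(inspectUrl(s)));
}
```
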

If you want to find out more about Microsoft's latest patch, check out

This page even has a link to Windows Update if you can't access it
through Tools > Windows Update. [And, of course, you could always
throw away your PC and just get a Mac, a *nix box, or an abacus--I
hear the latter is MUCH easier to defrag.]

Happy patching! :)

RealPlayer sans spyware
Audience: Everyone

One of the Internet's worst-kept secrets is that RealNetworks'
RealPlayer is kind of sort of spyware-like and that many of
RealPlayer's optional downloads--the extra stuff you can download when
you first get RealPlayer--are full-blown spyware.

Because of that, many people have abandoned RealPlayer and switched to
competing programs like RealAlternative at

RealAlternative is certainly an, um, alternative, but if you are
married to keeping RealPlayer on your PC, Mac, or *nix box without it
spying on you, there may be hope. My good friend Lee Overstreet
recently posted step-by-step instructions on how to download and
install RealPlayer on a PC without having it take over your life.
Just point your web browser to

and click on the "Installing Real One Player" link at the bottom of
the page. Unfortunately, Lee's instructions don't talk about how to
install RealPlayer on a Mac or *nix box and disable its spyware-like
features, but with 100,000+ people on our little bus of Internet
happiness I am sure someone knows where I can find this information.

If you are using the free version of RealPlayer, chances are you have
an old version. Might I suggest you completely uninstall your old
version of RealPlayer--for instructions on how to do this on a PC,
take a look at http://tinyurl.com/ytzw4--and then follow Lee's
instructions to get the newest version?

Better still, you could instead uninstall RealPlayer and then pay a
visit to our friends at the BBC.

Huh? Well, this is kind of hard to believe, but according to an
anonymous poster to the Boing Boing blog,

The BBC made a unique deal with Real Networks which disposes of
their spyware tactics. Basically, if a user clicks on a link to
download Real Player from a BBC website, the referrer script
sends them to a page where they can download an expiry-free,
spyware-free and nuisance-free version of the player. It's
because the BBC have such a stringent public service remit, that
it was offensive to charge people a license fee for BBC content,
then make them pay all over again for the facility to view/listen
to it.

You can download the (supposed) non-spyware-like RealPlayer from the
beeb at